On May 25, 2018 the European Parliament entered into force the General Data Protection Regulation or GDPR.

The Regulation will have a significant impact on the fitness industry, bringing with it both challenges for compliance as well as opportunities to achieve competitive advantage.

What is the GDPR?

The GDPR is the new sweeping European Union (EU) legislation that modernizes and reforms the laws that address the handling of personal data. It applies to the personal data of EU citizens regardless of where it is collected, stored or processed and replaces the European Data Protection Directive (95/46/EC) which was implemented inconsistently across Europe and did not have legislative authority.

GDPR in 1 minute

Consent: Organisations, businesses and even sports teams need to get consent from their members to store and use personal information. You will have to provide them with a clear and explicit description about what the information will be used for. It must be as easy to withdraw the consent as it is to give it.

Rights of Data Subjects: Individuals have the right to know how they can access, correct and delete the information you collect about them. They have the right to object to direct marketing and in certain situations the processing of their data and also the right to be forgotten where there is no compelling reason for retaining their details.

Data Security and Privacy by design: IT systems must minimize the risks of unauthorized access to and/or loss of personal data. They should also be designed to process and store only that information which is required to fulfil the purpose for which it was collected.

Data Breach Notification: Businesses and organisations must report security breaches related to data privacy within 72hrs, and individuals have the right to be notified if a breach puts their rights and freedoms at risk.

As a gym or health club, you regularly collect personal identifiable information such as :

Name

Date of Birth

e-mail address

Physical Address

Membership number

Telephone Contact

Pictures of persons

Visit information

IP-addresses

Billing details

What does this mean for your club?

As you collect data about your members, you are designated as a data controller under GDPR – this means that you determine the purpose and means of processing the data your business uses. Under Article 28 of the regulation you have a responsibility to implement appropriate technical and organisational measures to demonstrate that when you collect personal data, it is processed in a manner compliant with the requirements of the GDPR. Businesses who fail to comply can be fined up to £17m or 4% of their global turnover, whichever is higher.

What about my Club Management provider?

You should immediately investigate if your current membership database / membership management system can handle the updated requirements on how to handle personal data, as you are obliged to only use providers (known as data processors) that can provide sufficient guarantees that they can meet the requirements of the regulation.

ClubWise is ahead of the game…

Our solution has been developed in accordance with the privacy by design principle, which means we already operate in accordance with the principles of GDPR on a technical and operational level to keep your data secure. We can also support you to meet your obligations under GDPR through:

• We do not share personal data with any third party.
• We can facilitate exporting your membership information if require
• We have created tools and guides that help your club on its journey to GDPR compliance.